* Eygene Ryabinkin <rea@grid.kiae.ru> [2014-05-08 11:12]:
> Henning, Thu, May 08, 2014 at 09:35:00AM +0200, Henning Brauer wrote:
> > * Blake Dunlap <ikiris@gmail.com> [2014-05-08 03:19]:
> > > Except for that whole mac address thing, that crashes networks...
> > this lie doesn't get any more true by repeating them over and over.
>
> So, you insist that VRRP and CARP instances with the same VRID/VHID in the same L2 segment will coexist peacefully? I had seen problems with such setup, so if you can enlighten me how to overcome them (rather than saying "you must choose different VRID/VHID") -- it will be very good.

you shouldn't see issues but log spam. I haven't seen another issue and I haven't seen a single report claiming otherwise over the last 10 years either, minus the mentioned cisco 3600 "don't bother checking the version number field before parsing on" screwup.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
On 08/05/2014 11:25, Henning Brauer wrote:
> you shouldn't see issues but log spam.

maybe you misunderstand the problem. If you have vrrp and carp on the same vlan, using the same vrrp group ID as VHID, then each virtual IP will arp for the same mac address on that vlan. This messes up the switch's forwarding table for that particular vlan because it sees multiple entries from different ports for the same mac address. Switches will not do unicast replication in this situation, but instead will forward all traffic for a particular destination mac address to the port which announced the mac address most recently.

In other words, this is much more serious than log spam: it is guaranteed to cause network downtime, because you cannot have two hosts on the same L2 domain using the same mac address, but doing different things.

Nick
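The forwarding-table flap Nick describes, modelled as an added example (not code from the thread, OpenBSD or any switch vendor): both VRRP (RFC 3768, IPv4) and CARP derive their virtual MAC as 00:00:5e:00:01:<id>, so a learning switch that sees the same source MAC on two ports keeps re-pointing its entry to whichever port spoke last. The inventory, port numbers and advertisement pattern below are constructed for illustration; `find_clashes` is a hypothetical pre-deployment check, not a real tool.

```python
from collections import defaultdict

def virtual_mac(group_id: int) -> str:
    """Virtual MAC used by VRRP for IPv4 (RFC 3768) and by CARP: 00:00:5e:00:01:<id>."""
    if not 1 <= group_id <= 255:
        raise ValueError("VRID/VHID must be in 1..255")
    return f"00:00:5e:00:01:{group_id:02x}"

def find_clashes(instances):
    """instances: iterable of (vlan, protocol, group_id) from a constructed inventory.
    Returns {(vlan, mac): [protocol, ...]} for each MAC claimed more than once on a VLAN."""
    claims = defaultdict(list)
    for vlan, proto, gid in instances:
        claims[(vlan, virtual_mac(gid))].append(proto)
    return {k: v for k, v in claims.items() if len(v) > 1}

class LearningSwitch:
    """Minimal MAC-learning switch: the last port a source MAC was seen on wins."""
    def __init__(self):
        self.table = {}   # mac -> port
        self.moves = 0    # times a MAC changed port (what switch logs call MAC flapping)

    def learn(self, src_mac: str, port: int) -> None:
        prev = self.table.get(src_mac)
        if prev is not None and prev != port:
            self.moves += 1
        self.table[src_mac] = port

    def forward_port(self, dst_mac: str):
        """Port a frame for dst_mac is sent to; None means unknown unicast (flooded)."""
        return self.table.get(dst_mac)

def simulate(vrid: int, vhid: int, rounds: int = 5):
    """VRRP master on port 1 and CARP master on port 2 each send one advertisement
    per round. Returns (MAC moves, port that traffic for the VRRP virtual IP lands on)."""
    sw = LearningSwitch()
    vrrp_mac, carp_mac = virtual_mac(vrid), virtual_mac(vhid)
    for _ in range(rounds):
        sw.learn(vrrp_mac, 1)   # VRRP advertisement seen on port 1
        sw.learn(carp_mac, 2)   # CARP advertisement seen on port 2
    return sw.moves, sw.forward_port(vrrp_mac)

if __name__ == "__main__":
    # Constructed inventory: VRRP group 10 and CARP vhid 10 on VLAN 100 clash.
    print(find_clashes([(100, "vrrp", 10), (100, "carp", 10), (100, "carp", 20)]))
    print("clash   :", simulate(10, 10))   # MAC bounces between ports every round
    print("distinct:", simulate(10, 20))   # two stable entries, no moves
```

With clashing IDs the entry moves on every advertisement (2 * rounds - 1 moves here) and frames for the VRRP address end up on the CARP port; with distinct IDs the table is stable.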
* Nick Hilliard <nick@foobar.org> [2014-05-08 13:03]:
> On 08/05/2014 11:25, Henning Brauer wrote:
> > you shouldn't see issues but log spam.
> maybe you misunderstand the problem. If you have vrrp and carp on the same vlan, using the same vrrp group ID as VHID, then each virtual IP will arp for the same mac address on that vlan.

correct.

> This messes up the switch's forwarding table for that particular vlan because it sees multiple entries from different ports for the same mac address.

correct. my switches seem to deal with that, whether they have special handling for that mac addr range or not i dunno. again, stress the fact that afair we have gotten zero reports about that "issue" for 10 years, it obviously means that either 1) a vast majority of switches deal with it just fine 2) people know that vhids shouldn't clash and avoid that
On 08/05/2014 12:09, Henning Brauer wrote:
> my switches seem to deal with that, whether they have special handling for that mac addr range or not i dunno.

I've seen this problem cause downtime on production networks. fyi, it will probably work fine on hubs, but not on switches.

> again, stress the fact that afair we have gotten zero reports about that "issue" for 10 years, it obviously means that either 1) a vast majority of switches deal with it just fine 2) people know that vhids shouldn't clash and avoid that

https://www.google.com/search?q=vrrp+carp+incompatible

Several of the results refer to openbsd mailing list postings.

Nick
On 8/05/2014, at 11:09 pm, Henning Brauer <hb-nanog@bsws.de> wrote:
> * Nick Hilliard <nick@foobar.org> [2014-05-08 13:03]:
> > On 08/05/2014 11:25, Henning Brauer wrote:
> > > you shouldn't see issues but log spam.
> > maybe you misunderstand the problem. If you have vrrp and carp on the same vlan, using the same vrrp group ID as VHID, then each virtual IP will arp for the same mac address on that vlan.
>
> correct.
>
> > This messes up the switch's forwarding table for that particular vlan because it sees multiple entries from different ports for the same mac address.
>
> correct.
>
> my switches seem to deal with that, whether they have special handling for that mac addr range or not i dunno.

What make and model switches? I am sure someone here can easily verify their behaviour and whether they have some baked-in pixie dust to handle this. But a pure L2 switch should not be able to mask the issue, given that all it has to go on is the MAC, so you would either see excessive flooding of a unicast MAC, or black-holing of VRRP or CARP. Neither of which is desirable, and given that the flooding would lead to serious security issues, this worries me coming from such a security-focused community as the OpenBSD community professes to be.

> again, stress the fact that afair we have gotten zero reports about that "issue" for 10 years, it obviously means that either 1) a vast majority of switches deal with it just fine 2) people know that vhids shouldn't clash and avoid that
participants (3): Geraint Jones, Henning Brauer, Nick Hilliard